AWS Solutions Architect Professional Test Notes

How to load balance web traffic.
1) Use ELB to uniformly distribute traffic to servers. Use Route 53 to set the ALIAS record that points to the ELB endpoint.
2) Use EIPs connecting to a Route 53 A record. Health check would ensure failure to other web servers

Amazon Elastic Transcoder is a media transcoding service in the cloud. It is highly scalable, easy to use and cost-effective way to convert media flies from one source into versions that will playback on various devices like smartphones and tablets.

AWS WAF is a web application firewall that helps protect the web application from common web exploits. Can allow or block traffic by defining customizing web security rules such as SQL injection or cross-site scripting. Users connect to an ELB in front of the WAF. The WAF will analysis the traffic and routes it to another ELB in front of the web servers.

When a user, a resource, an application or any service needs to access any AWS service or resource, always prefer creating appropriate role that has least privileged access or only required access, rather than using any other credentials such as keys.

When you have instances that need internet access but should be restricted to specific connections or updates and all other denied, use a proxy server. Proxy server acts as mediator between the client and the server it needs to reach. The instances connect to the proxy server and the proxy server evaluates the request to be sure it is allowed out. Proxy server also maintains a cache to improve performance.

VPN gateways and terminating the Ipsec tunnels on AWS support Customer gateways. 4 objects would be achieved.
1) Data encryption across the internet
2) Protection of data in transit over the internet
3) Peer Identity authentication between VPN gateway and customer gateways
4) Data integrity protection across the internet

IDS is an application that is installed on the EC2 instances that continuously monitors the VPC environment to see if any malicious activity is happening and alerts the system admins.
IPS is an appliance that is installed on the EC2 instances that monitors and analyzes the incoming and outgoing network traffic for any malicious activities prevents the malicious request for reaching to the instances.

AWS does NOT do promiscuous mode.

Always choose IAM roles over IAM users when the application/service want to access another service. IAM User needs security credentials such ans access and secret keys which can be security concerns.

DDoS attacks is an attack from multiple sources. Mitigate the attack by using Cloudfront to distribute static and dynamic content. Use an ELB with auto scaling groups. Restrict internet traffic to Database services. Add alerts to Amazon CloudWatch to look for high network in and CPU utilization. So obfuscate AWS resources, minimize surface area of attack, defend layers using WAF and autoscaling services.

Security Groups operate at the individual instance level and Network Access Control Lists operates at the subnet level. NACLs can specifically deny, Security Groups cannot. You can put in allow or deny rules into a NACL. You can only grant access in Security Groups because it is deny by default.

When a user need a single sign on.
1) set up the identity provider (federation proxy)
2) authenticate users using corporate data store / active directory / LDAP
3) get temporary access tokens/credentials using AWS STS
4) create the IAM role that has the access to the needed resource.

Encrypt data at rest.
1) native data encryption
2) third party encrypting tool
3) encrypt the data before storing on the volume

Need IP address from clients for logs, use Proxy Protocol on the ELB

If a question is asking about analyzing real time data, look for Amazon Kinesis.

CloudFront is a service that is designed to give geographically distributed user the fact access to the content by maintaining the content in the cache at multiple edge locations. Using the cache behavior of CloudFront, you can control the origin and path of the content, TTL, and control the user access using trusted signers.

If there is read contentions on the RDS Mysql instances, deploy elasticache in-memory cache and add RDS read replicas.

If EC2s in the private subnets use a NAT to connect to the internet. The NAT server must be in the public subnet. The public subnet must have a route to the internet. The private subnet has a route to the NAT. If the EC2s are having an issue getting to the internet, 1) check that the NAT network is not saturated, 2) the EC2s have to be sufficient size for the application.

Adding reserved instances to ELBs can be problematic if they are different instance types. Best to use the same instance types behind ELBs. If different use one ELB for each set of instance types and user Route 53 to load balance between the ELBs.

Stateful instances are not suitable for distributed systems. State is kept and the user must stay with the instance. Stateless instances can easily scale in/out, which will improve overall performance. Use RDS with read replicas, Elasticache, CloudFront and autoscaling for performance increases
If the question asks for performance increases, look for Elasticache, CloudFront and Read replicas for RDS. If the question asks for scalability, think DynamoDB. DynamoDB scales as need to handle huge amount of data/records. Automated notifications should be SNS.

To handle data from millions of user from the internet, use DynamoDB. To provide global users with high performance content access, use CloudFront. Use IAM Roles for front end web server to access DynamoDB.

If the user is using a mobile app, access to AWS resources/service should be using federated access using Web Identity Provider and “AssumeRoleWithWebIdentity” API.
SAML uses AssumeRoleWithSAML
LDAP can use AssumeRole

With several AWS accounts and need to manage from one. Create an IAM user in the Master account. Create cross-account roles in the other AWS accounts that have Full Admin Permission and grant the Master account access.

Real-time processing = Amazon Kinesis ( records of the stream is available for 24 hours )

Multi-AZ deployments of MySQL, MariaDB, Oracle, PostrgreSQL utilize synchronous physical replication. SQL server engine uses synchronous logical replication. ALL of them use synchronous replication.

Keeping SSL keys away from everyone except those that need to handle them. Use certificates store and IAM to restrict access. ELB can be setup by developers or those that don’t need access to the actual certificates. SSL termination on the ELB and unencrypted traffic to the EC2 instances provide a layer of security over the certificate keys. Keys can be put into HSM and have a role assigned that can access it. Put security users in that role.

OpsWork lifecycle events
setup → configure → deploy → undeploy → shutdown

Amazon Redshift starts with a single node, 160GB each

With the DeletionPolicy attribute you can preserve resource when the stack is deleted. You set the DeletionPolicy to retain. For an RDS resource the DeletionPolicy must be set to snapshot. Any resource that supports snapshots, such as Volumes, you can specify snapshot for the DeletionPolicy

AWS S3 request headers start with x-amx-
x-amz-date (current date and time of requester)
x-amz-security-token (devpay operations, temporary security credentials
x-amz- server-side-encryption

Use Elasticache to share session states instead of sticky sessions on the ELB, especially with ASP.NET. If the questions mentions highly scalable and share session states, think Elasticache

How to create a public internet facing load balancer and attach backend EC2 instances that are not publicly reachable, such as the ones created in a private subnet.
1) List the Availability Zones that have private instances you want to attache
2) Create and equal number of public subnets in the same AZ as the private instances exist.
If you have two private subnets in one AZ, you only need to create one public subnet in that AZ
3) Create the load balancer and associate the new public subnets just created.
4) Add instances by registering the private instances to the load balancer.
* ensure security groups have all necessary ports open.

CloutFormation intrinsic functions can only be used in resource properties, metadata attributes and update policy attributes.